public void GetSignedPackageVerifierSettings_RepoSignatureInfoCertificateListWithMultipleEntriesCorrectlyPassedToSetting()
{
// Arrange
var target = VerificationTarget.Repository;
var placement = SignaturePlacement.PrimarySignature | SignaturePlacement.Countersignature;
var allSigned = true;
var firstCertFingerprints = new Dictionary <string, string>()
{
{ HashAlgorithmName.SHA256.ConvertToOidString(), $"{HashAlgorithmName.SHA256.ToString()}_first" },
{ HashAlgorithmName.SHA384.ConvertToOidString(), $"{HashAlgorithmName.SHA384.ToString()}_first" },
{ HashAlgorithmName.SHA512.ConvertToOidString(), $"{HashAlgorithmName.SHA512.ToString()}_first" }
};
var secondCertFingerprints = new Dictionary <string, string>()
{
{ HashAlgorithmName.SHA256.ConvertToOidString(), $"{HashAlgorithmName.SHA256.ToString()}_second" },
};
var repoCertificateInfo = new List <IRepositoryCertificateInfo>()
{
new TestRepositoryCertificateInfo()
{
ContentUrl = @"https://unit.test/1",
Fingerprints = new Fingerprints(firstCertFingerprints),
Issuer = "CN=Issuer1",
Subject = "CN=Subject1",
NotBefore = DateTimeOffset.UtcNow,
NotAfter = DateTimeOffset.UtcNow
},
new TestRepositoryCertificateInfo()
{
ContentUrl = @"https://unit.test/2",
Fingerprints = new Fingerprints(secondCertFingerprints),
Issuer = "CN=Issuer2",
Subject = "CN=Subject2",
NotBefore = DateTimeOffset.UtcNow,
NotAfter = DateTimeOffset.UtcNow
}
};
var expectedAllowList = new List <CertificateHashAllowListEntry>()
{
new CertificateHashAllowListEntry(target, placement, $"{HashAlgorithmName.SHA256.ToString()}_first", HashAlgorithmName.SHA256),
new CertificateHashAllowListEntry(target, placement, $"{HashAlgorithmName.SHA384.ToString()}_first", HashAlgorithmName.SHA384),
new CertificateHashAllowListEntry(target, placement, $"{HashAlgorithmName.SHA512.ToString()}_first", HashAlgorithmName.SHA512),
new CertificateHashAllowListEntry(target, placement, $"{HashAlgorithmName.SHA256.ToString()}_second", HashAlgorithmName.SHA256)
};
var repoSignatureInfo = new RepositorySignatureInfo(allSigned, repoCertificateInfo);
// Act
var settings = RepositorySignatureInfoUtility.GetSignedPackageVerifierSettings(repoSignatureInfo, _defaultSettings);
// Assert
settings.AllowUnsigned.Should().BeFalse();
settings.AllowNoClientCertificateList.Should().BeTrue();
settings.AllowNoRepositoryCertificateList.Should().BeFalse();
settings.RepositoryCertificateList.Should().NotBeNull();
settings.RepositoryCertificateList.ShouldBeEquivalentTo(expectedAllowList);
}
private static async Task VerifyPackageSignatureAsync(
string source,
Guid parentId,
PackageIdentity package,
PackageExtractionContext packageExtractionContext,
ISignedPackageReader signedPackageReader,
CancellationToken token)
{
if (packageExtractionContext.SignedPackageVerifier != null)
{
var repositorySignatureInfo = GetRepositorySignatureInfo(source);
var verifierSettings = RepositorySignatureInfoUtility.GetSignedPackageVerifierSettings(
repositorySignatureInfo,
packageExtractionContext.SignedPackageVerifierSettings);
var verifyResult = await packageExtractionContext.SignedPackageVerifier.VerifySignaturesAsync(
signedPackageReader,
verifierSettings,
token,
parentId);
if (!verifyResult.Valid)
{
throw new SignatureException(verifyResult.Results, package);
}
}
}
public void GetSignedPackageVerifierSettings_NullRepoSignatureInfoReturnsFallbackSettings()
{
// Arrange & Act
var settings = RepositorySignatureInfoUtility.GetSignedPackageVerifierSettings(repoSignatureInfo: null, fallbackSettings: _defaultSettings);
// Assert
settings.Should().Be(_defaultSettings);
}
public void GetSignedPackageVerifierSettings_NullFallbackSettingsThrows()
{
// Arrange & Act
Action action = () => RepositorySignatureInfoUtility.GetSignedPackageVerifierSettings(repoSignatureInfo: null, fallbackSettings: null);
// Assert
action.ShouldThrow <ArgumentNullException>();
}
public void GetSignedPackageVerifierSettings_RepoSignatureInfoFalseAllSignedDoesNotSetAllowUnsigned()
{
// Arrange
var repoSignatureInfo = new RepositorySignatureInfo(allRepositorySigned: false, repositoryCertificateInfos: null);
// Act
var settings = RepositorySignatureInfoUtility.GetSignedPackageVerifierSettings(repoSignatureInfo, _defaultSettings);
// Assert
settings.ShouldBeEquivalentTo(_defaultSettings);
}
private static async Task VerifyPackageSignatureAsync(
string source,
Guid parentId,
PackageIdentity package,
PackageExtractionContext packageExtractionContext,
ISignedPackageReader signedPackageReader,
CancellationToken token)
{
if (packageExtractionContext.SignedPackageVerifier != null)
{
var repositorySignatureInfo = GetRepositorySignatureInfo(source);
var verifierSettings = RepositorySignatureInfoUtility.GetSignedPackageVerifierSettings(
repositorySignatureInfo,
packageExtractionContext.SignedPackageVerifierSettings);
var verifyResult = await packageExtractionContext.SignedPackageVerifier.VerifySignaturesAsync(
signedPackageReader,
verifierSettings,
token,
parentId);
if (verifyResult.Signed)
{
await LogPackageSignatureVerificationAsync(source, package, packageExtractionContext.Logger, verifyResult);
// Update errors and warnings with package id and source
verifyResult.Results
.SelectMany(r => r.Issues)
.ForEach(e => AddPackageIdentityToSignatureLog(source, package, e));
if (verifyResult.Valid)
{
// log any warnings
var warnings = verifyResult.Results.SelectMany(r => r.GetWarningIssues());
foreach (var warning in warnings)
{
await packageExtractionContext.Logger.LogAsync(warning);
}
}
else
{
throw new SignatureException(verifyResult.Results, package);
}
}
}
}
public void GetSignedPackageVerifierSettings_RepoSignatureInfoCertificateListWithOneEntryCorrectlyPassedToSetting()
{
// Arrange
var target = VerificationTarget.Repository;
var allSigned = true;
var certFingerprints = new Dictionary <string, string>()
{
{ HashAlgorithmName.SHA256.ConvertToOidString(), HashAlgorithmName.SHA256.ToString() },
{ HashAlgorithmName.SHA384.ConvertToOidString(), HashAlgorithmName.SHA384.ToString() },
{ HashAlgorithmName.SHA512.ConvertToOidString(), HashAlgorithmName.SHA512.ToString() },
{ "1.3.14.3.2.26", "SHA1" },
};
var testCertInfo = new TestRepositoryCertificateInfo()
{
ContentUrl = @"https://unit.test",
Fingerprints = new Fingerprints(certFingerprints),
Issuer = "CN=Issuer",
Subject = "CN=Subject",
NotBefore = DateTimeOffset.UtcNow,
NotAfter = DateTimeOffset.UtcNow
};
var repoCertificateInfo = new List <IRepositoryCertificateInfo>()
{
testCertInfo
};
var expectedAllowList = new List <CertificateHashAllowListEntry>()
{
new CertificateHashAllowListEntry(target, HashAlgorithmName.SHA256.ToString(), HashAlgorithmName.SHA256),
new CertificateHashAllowListEntry(target, HashAlgorithmName.SHA384.ToString(), HashAlgorithmName.SHA384),
new CertificateHashAllowListEntry(target, HashAlgorithmName.SHA512.ToString(), HashAlgorithmName.SHA512)
};
var repoSignatureInfo = new RepositorySignatureInfo(allSigned, repoCertificateInfo);
// Act
var settings = RepositorySignatureInfoUtility.GetSignedPackageVerifierSettings(repoSignatureInfo, _defaultSettings);
// Assert
settings.AllowUnsigned.Should().BeFalse();
settings.AllowNoClientCertificateList.Should().BeTrue();
settings.AllowNoRepositoryCertificateList.Should().BeFalse();
settings.RepositoryCertificateList.Should().NotBeNull();
settings.RepositoryCertificateList.ShouldBeEquivalentTo(expectedAllowList);
}
public void GetSignedPackageVerifierSettings_RepoSignatureInfoTrueAllSignedClearsAllowUnsignedIfSet()
{
// Arrange
var allSigned = true;
var repoSignatureInfo = new RepositorySignatureInfo(allSigned, repositoryCertificateInfos: null);
// Act
var settings = RepositorySignatureInfoUtility.GetSignedPackageVerifierSettings(repoSignatureInfo, _defaultSettings);
// Assert
settings.AllowUnsigned.Should().BeFalse();
settings.AllowIllegal.Should().BeTrue();
settings.AllowUntrusted.Should().BeTrue();
settings.AllowUntrustedSelfIssuedCertificate.Should().BeTrue();
settings.AllowIgnoreTimestamp.Should().BeTrue();
settings.AllowNoTimestamp.Should().BeTrue();
settings.AllowMultipleTimestamps.Should().BeTrue();
settings.AllowUnknownRevocation.Should().BeTrue();
}
public void GetRepositoryAllowList_RepoSignatureInfoCertificateListWithOneEntryCorrectlyPassedToSetting()
{
// Arrange
var target = VerificationTarget.Repository;
var placement = SignaturePlacement.PrimarySignature | SignaturePlacement.Countersignature;
var certFingerprints = new Dictionary <string, string>()
{
{ HashAlgorithmName.SHA256.ConvertToOidString(), HashAlgorithmName.SHA256.ToString() },
{ HashAlgorithmName.SHA384.ConvertToOidString(), HashAlgorithmName.SHA384.ToString() },
{ HashAlgorithmName.SHA512.ConvertToOidString(), HashAlgorithmName.SHA512.ToString() },
{ "1.3.14.3.2.26", "SHA1" },
};
var testCertInfo = new TestRepositoryCertificateInfo()
{
ContentUrl = @"https://unit.test",
Fingerprints = new Fingerprints(certFingerprints),
Issuer = "CN=Issuer",
Subject = "CN=Subject",
NotBefore = DateTimeOffset.UtcNow,
NotAfter = DateTimeOffset.UtcNow
};
var repoCertificateInfo = new List <IRepositoryCertificateInfo>()
{
testCertInfo
};
var expectedAllowList = new List <CertificateHashAllowListEntry>()
{
new CertificateHashAllowListEntry(target, placement, HashAlgorithmName.SHA256.ToString(), HashAlgorithmName.SHA256),
new CertificateHashAllowListEntry(target, placement, HashAlgorithmName.SHA384.ToString(), HashAlgorithmName.SHA384),
new CertificateHashAllowListEntry(target, placement, HashAlgorithmName.SHA512.ToString(), HashAlgorithmName.SHA512)
};
// Act
var allowList = RepositorySignatureInfoUtility.GetRepositoryAllowList(repoCertificateInfo);
// Assert
allowList.ShouldBeEquivalentTo(expectedAllowList);
}
public void GetSignedPackageVerifierSettings_RepoSignatureInfoAllSignedTrue_ClearsAllowUnsignedIfSet()
{
// Arrange
var allSigned = true;
var repoSignatureInfo = new RepositorySignatureInfo(allSigned, repositoryCertificateInfos: null);
// Act
var settings = RepositorySignatureInfoUtility.GetSignedPackageVerifierSettings(repoSignatureInfo, _defaultSettings);
// Assert
settings.AllowUnsigned.Should().BeFalse();
settings.AllowIllegal.Should().BeTrue();
settings.AllowUntrusted.Should().BeFalse();
settings.AllowIgnoreTimestamp.Should().BeTrue();
settings.AllowNoTimestamp.Should().BeTrue();
settings.AllowMultipleTimestamps.Should().BeTrue();
settings.AllowUnknownRevocation.Should().BeTrue();
settings.ReportUnknownRevocation.Should().BeFalse();
settings.VerificationTarget.Should().Be(VerificationTarget.All);
settings.SignaturePlacement.Should().Be(SignaturePlacement.Any);
settings.RepositoryCountersignatureVerificationBehavior.Should().Be(SignatureVerificationBehavior.IfExistsAndIsNecessary);
}
public void GetSignedPackageVerifierSettings_ClientAllowListInfoPassedToSetting()
{
// Arrange
var target = VerificationTarget.Repository;
var allSigned = true;
var certFingerprints = new Dictionary <string, string>()
{
{ HashAlgorithmName.SHA256.ConvertToOidString(), HashAlgorithmName.SHA256.ToString() },
{ HashAlgorithmName.SHA384.ConvertToOidString(), HashAlgorithmName.SHA384.ToString() },
{ HashAlgorithmName.SHA512.ConvertToOidString(), HashAlgorithmName.SHA512.ToString() },
{ "1.3.14.3.2.26", "SHA1" },
};
var testCertInfo = new TestRepositoryCertificateInfo()
{
ContentUrl = @"https://unit.test",
Fingerprints = new Fingerprints(certFingerprints),
Issuer = "CN=Issuer",
Subject = "CN=Subject",
NotBefore = DateTimeOffset.UtcNow,
NotAfter = DateTimeOffset.UtcNow
};
var repoCertificateInfo = new List <IRepositoryCertificateInfo>()
{
testCertInfo
};
var expectedClientAllowList = new List <CertificateHashAllowListEntry>()
{
new CertificateHashAllowListEntry(target, HashAlgorithmName.SHA256.ToString(), HashAlgorithmName.SHA256)
};
var expectedRepoAllowList = new List <CertificateHashAllowListEntry>()
{
new CertificateHashAllowListEntry(target, HashAlgorithmName.SHA256.ToString(), HashAlgorithmName.SHA256),
new CertificateHashAllowListEntry(target, HashAlgorithmName.SHA384.ToString(), HashAlgorithmName.SHA384),
new CertificateHashAllowListEntry(target, HashAlgorithmName.SHA512.ToString(), HashAlgorithmName.SHA512)
};
var repoSignatureInfo = new RepositorySignatureInfo(allSigned, repoCertificateInfo);
var fallbackSettings = new SignedPackageVerifierSettings(
allowUnsigned: true,
allowIllegal: true,
allowUntrusted: true,
allowUntrustedSelfIssuedCertificate: true,
allowIgnoreTimestamp: true,
allowMultipleTimestamps: true,
allowNoTimestamp: true,
allowUnknownRevocation: true,
allowNoRepositoryCertificateList: true,
allowNoClientCertificateList: false,
repoAllowListEntries: null,
clientAllowListEntries: expectedClientAllowList);
// Act
var settings = RepositorySignatureInfoUtility.GetSignedPackageVerifierSettings(repoSignatureInfo, fallbackSettings);
// Assert
settings.AllowUnsigned.Should().BeFalse();
settings.AllowNoClientCertificateList.Should().BeFalse();
settings.AllowNoRepositoryCertificateList.Should().BeFalse();
settings.ClientCertificateList.Should().NotBeNull();
settings.ClientCertificateList.ShouldBeEquivalentTo(expectedClientAllowList);
settings.RepositoryCertificateList.Should().NotBeNull();
settings.RepositoryCertificateList.ShouldBeEquivalentTo(expectedRepoAllowList);
}
